Authentication is the act of establishing or confirming something or someone is what it/he/she claims to be. Authentication may involve, for example, confirming identity of a person, tracing the origins of an object, or tracing the origins of information received from a source. For many systems today, before access to the system is permitted, authentication is required. Many users encounter sites requiring authentication several times throughout a day. This authentication typically involves entering a password (e.g., submitting a username and password, or providing a card number and pin). Users commonly reuse passwords between multiple sites. To some, this is considered good security practice because it allows a user to remember his/her password.
A malicious user (e.g., a malicious computer program or an unauthorized person attempting to circumvent a security system) may attempt to use brute force to guess passwords, e.g., to gain access to a system or to mount a denial-of-service (DoS) attack. A denial-of-service attack is an attempt to make a computer resource unavailable to its intended users. If a malicious user or their activity is not limited in some way, their activity can consume a system's computing resources and quickly lead to denial of service to the system's intended user(s). To avoid this scenario, many systems implement a maximum failed login policy to avoid system resources from being attacked. With such a policy, a user is permitted a certain number (e.g., three) failed logins before the system “locks-out” further login attempts, preventing any user from attempting to login to that account. This policy may be encountered by users of voicemail systems, computer application log-ins, and online account log-ins (e.g., at a bank website), for example. To “unlock” the account, an intended user may have to reset the password, which may involve contacting an information technology (IT) administrator, who may contact the intended user's manager or another individual to verify access privileges, and/or waiting some time (e.g., 24 hours or more) before the account is unlocked.